We need to be firm enough to be disciplined in adhering to security policies, implementing good habits and best practices, and paying attention to the details that matter. At the same time, we need to be flexible enough to consume, understand and respond to new information, emerging threats, changing requirements and innovative solutions. Too firm, and we become rigid; too flexible, and we become unreliable. Striking the right balance is the key to an effective security mindset.
So where should we be firm, and where should we be flexible?
Given the importance of the human factor in cybersecurity—from the behavior patterns of employees to the technical skills of cybersecurity professionals—it’s crucial to remain firm in this area. Firmness here often means demanding and enforcing a high standard of behavior. This is also where firmness is difficult. Sloppy data protection, susceptibility to social engineering and lack of interest are significant headwinds in efforts to “secure” the human element. But this is also where incremental gains in security will almost always yield incremental gains in security. The fact that 100% cannot be achieved here does not mean that we should let effectiveness slip from 90% to 60%. The more resistant the organization’s people are to social engineering and the better they exercise cyber hygiene, the better able the security team is to detect, isolate, contain and remediate.
Similarly, our effectiveness as security professionals is very much a function of our ability to consistently implement and maintain effective controls. And the most effective controls remain the foundational ones. As noted in the CIS Critical Security Controls, the first two steps involve knowing what’s connected and knowing what’s running in the environment. Or put another way, know what you’re protecting. It turns out, however, that even these first two basic controls are hard to do well.** But a firm, disciplined approach in these areas yields great benefits, as CIS notes that effective implementation of just the first five of its 20 controls can eliminate 85% or more of attacks. This is Excellence in the Essentials.
But Excellence in the Essentials is difficult to do when we are distracted. And there is no shortage of distractions. One of the most insidious is our tendency to latch onto the latest-and-greatest technology as a potential solution or to grasp at a secondary problem at the cost of the primary.
For example, a secondary problem in cybersecurity is the challenge of visibility, awareness, and correlation. While understandable—nobody likes to drive in fog—it has led to expensive investments in SIEM platforms that promise to deliver those things without addressing the foundational controls necessary for real security. While we may scoff at spreadsheet-based asset inventories, an accurate spreadsheet is more valuable—from a security controls standpoint—than a flashy, but incomplete, dashboard. It’s worth remembering that submarines navigate the globe just fine without the ability to see.
Finally, firmness is necessary when it comes to the details. That’s where the Devil lives, we’ve been told, and it’s as true in the Information Age as it was in the Gilded Age. It takes firmness and discipline to watch for the anomalous details, to notice when something just doesn’t look right. It takes firmness and discipline to ensure that configuration-hardening standards are adhered to. And it takes firmness and discipline to ensure timely patching. In many ways, this amounts to a willingness to do the many menial tasks of ensuring security. Uninspiring and uninteresting in many ways, those are the very details that matter.
But an obsession with firmness cannot be allowed to compromise flexibility where flexibility is needed most. Flexibility is needed foremost in managing risks, since this is really about balancing risks with business needs. Here the inherent tension must be addressed within our minds—as security professionals—before it can be addressed in the organization.
While we strive to improve security wherever possible, we cannot (nor should we) believe that 100% security is the goal, since the only way to completely reduce the risks of doing something is to not do it at all (the ultimate breach, if you will). While the right balance is different for each organization, the imperative to be flexible in seeking that balance remains.
Since cybersecurity is inextricably linked to technology, new developments in technology must be addressed. But technological development has never been predictable, linear or incremental, at least not all the time. This, too, demands mental flexibility. Adapting to new ways of doing business, driven by emerging technology, means that while the foundational principles remain sound, their applications may need rapid reassessment and reapplication. A rigid approach to a dynamic problem is insufficient. So, there is no detailed prescription that applies to everyone. A detailed prescription, after all, is the very rigidity that will lead to failure. If firmness is an obstruction, and flexibility is accommodation, then balance is the key.
For example, much has been made of the potential uses of blockchain technology in security. There are no doubt many adaptations that have yet to be discovered. Flexibility, in this case, is about being open-minded and willing to learn. It may involve experimenting with uses in your organization. But the emergence of blockchain doesn’t mean that foundational security controls are suddenly irrelevant, so firmness, in this case, is about staying the course in maintaining those controls.
So, for each of us, what are our own mental postures—the attitudes and predispositions we have as we observe, orient, decide and act—and how do these postures affect our work as security professionals? How can we balance firmness and flexibility in the right way to be the most effective?
*For a brief exploration of the Observe-Orient-Decide-Act mental cycle, start at 14:00 of the “Ignite”-style presentation on leadership lessons learned as a U.S. Marine, delivered at the NASCIO Conference 2016.
**The recently-deployed Continuous Diagnostics and Mitigation program, managed by the U.S. Department of Homeland Security, found that on average, federal agencies had 44% more devices connected to their networks than they had expected: https://www.cyberscoop.com/dhs-cdm-cyber-tool-finds-huge-shadow-information-technology-federal-agencies/